Back in August 2015, DoD issued an interim rule, which was effective immediately (and was previously discussed on this blog), imposing substantial new requirements on government contractors with respect to reporting information system network penetrations—and providing new cloud computing requirements. Six weeks later, DoD issued a class deviation giving contractors more time to comply with one of the technical requirements being applied by the new DFARS clauses included with the new rule. Last week, DoD again revised the rule to give contractors more time to comply with many of the new technical standards. Specifically, the revised DFARS provision makes clear that contractors have until December 31, 2017 to comply with the technical standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171.
NIST 800-171 describes a series of procedures for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” These NIST requirements cover a wide array of security issues applicable to contractors’ information systems and are intended to ensure the security of government information that is provided to contractors so that the companies can provide goods and services to DoD.
Initially, DoD made the NIST 800-171 requirements immediately applicable to the large number of businesses that either have a “covered contractor information system” or have “covered defense information transiting their information systems” as part of their contract performance. DoD’s class deviation in October relaxed the standard slightly by amending the DFARS clauses to allow contractors up to nine months (from the date of a new contract award) to comply with section 3.5.3 of NIST 800-171. That section mandates “multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” (Multifactor authentication requires two or more types of information, e.g., a password and a cryptographic device such as a token, to gain access to the government information.)
Many contractors were unhappy with the unrealistic implementation schedule imposed by the initial (and revised) DFARS provision, and they made their concerns clear to DoD in comments and during a December 14 meeting conducted by the Department to obtain additional feedback. Contractors expressed the need for additional time to analyze the scope of changes that were necessary for their systems—and to implement those changes.
To its credit, DoD modified the DFARS clauses to “provide offerors [contractors] additional time to implement the security requirements specified by NIST 800-171.” Each contractor will now be required to agree, by submitting an offer for a DoD procurement in which DoD information will be provided to contractors, that all of the contractor’s systems will be compliant with NIST 800-171 “not later than December 31, 2017.” Notably, the same requirements must be flowed down in all “subcontracts, or similar contractual instruments, for services that include support for” the goods or services being provided under a contract to which the DFARS clauses apply.
Although the additional time to achieve compliance with NIST 800-171’s requirements is helpful, the new DFARS clauses also impose an additional requirement that must be understood by contractors. “The second interim rule requires contractors, within 30 days of contract award, to notify the DoD Chief Information Officer of any NIST SP 800-171 security requirements that are not implemented at the time of contract award.” Accordingly, contractors will need to track where they are on the path to compliance with 800-171’s requirements so that accurate reports identifying gaps can be provided to the DoD each time contract performance begins under a new award.